bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local varia
From: Eli Zaretskii
Subject: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local variable
Date: Mon, 15 Jun 2020 21:53:50 +0300
> From: Glenn Morris <rgm@gnu.org>
> Date: Sat, 13 Jun 2020 13:20:29 -0400
> Cc: eliz@gnu.org, philip.kaludercic@fau.de
>
>
> I don't understand how python-shell-virtualenv-root can be considered a
> safe local variable. Surely it controls what "python" executable gets run.
>
> As a test, I did:
>
> python3 -m venv /tmp/foo
>
> I then replaced /tmp/foo/bin/python with a shell-script:
>
> #!/bin/bash
> echo oh-oh
>
> I then ran:
> emacs -Q --eval '(setq python-shell-virtualenv-root "/tmp/foo")' -f python-mode
> C-c C-p
>
> This gives an inferior Python buffer with contents:
>
> oh-oh
>
> Process Python finished
>
> In other words, this looks like a recipe for arbitrary code execution.
Philip, could you please look into this? TIA.
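
An added audit example, not part of the thread or of Emacs: once a variable is marked safe, any file or directory tree can set it without a prompt, so this Python sketch lists every place in a checkout that assigns `python-shell-virtualenv-root` through file-local syntax. The function names and the simplified parsing (no prefix/suffix handling in the `Local Variables:` block) are assumptions of this example.

```python
import re
from pathlib import Path

VAR = "python-shell-virtualenv-root"
PROP_LINE = re.compile(r"-\*-(.*?)-\*-")
BLOCK_ENTRY = re.compile(re.escape(VAR) + r"\s*:\s*(\S.*)")
DIR_LOCALS_ENTRY = re.compile(
    r"\(\s*" + re.escape(VAR) + r'\s+\.\s+("(?:[^"\\]|\\.)*"|[^\s()]+)')
DIR_LOCALS_NAMES = (".dir-locals.el", ".dir-locals-2.el")
TAIL_CHARS = 3000  # Emacs looks for "Local Variables:" only near the end of a file


def file_local_values(text):
    """Values assigned to VAR by a -*- line or a Local Variables block."""
    found = []
    for line in text.splitlines()[:2]:  # line 2 counts when line 1 is a #! line
        m = PROP_LINE.search(line)
        for item in (m.group(1).split(";") if m else []):
            name, sep, value = item.partition(":")
            if sep and name.strip() == VAR:
                found.append(value.strip())
    tail = text[-TAIL_CHARS:]
    start = tail.rfind("Local Variables:")
    if start != -1:
        for line in tail[start:].splitlines()[1:]:
            if "End:" in line:  # end of the block
                break
            m = BLOCK_ENTRY.search(line)
            if m:
                found.append(m.group(1).strip())
    return found


def dir_local_values(text):
    """Values assigned to VAR by a .dir-locals.el alist."""
    return DIR_LOCALS_ENTRY.findall(text)


def scan_tree(root):
    """Return (path, value) for every place under root that sets VAR."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        extract = (dir_local_values if path.name in DIR_LOCALS_NAMES
                   else file_local_values)
        hits += [(str(path), value) for value in extract(text)]
    return hits
```

Running `scan_tree` on a freshly cloned or unpacked tree before opening it in Emacs shows which files would redirect the interpreter lookup, and to which directory.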